How macOS Server isolates your intranet from Internet attacks
If you have a network router that shares its Internet connection with computers on your intranet, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against malicious attacks from the Internet by blocking communications that originate outside the intranet.
Internet users can access your exposed services by using an Internet host name, such as server.example.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your ISP and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.
When using your Internet host name or public IP address to access Profile Manager, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn’t expose the service, the router doesn’t forward the request, and the user can’t get that service from your server.